Flowing gMSA accounts into MIM Portal

Identity 4 Minutes

The purpose for this document is to guide someone through adding Group Managed Service Accounts (gMSA) into the MIM Portal.  At my customer, we have started utilizing gMSA’s more and more as opposed to regular service accounts.  With increased usage this means that gMSA’s are showing up as members of various Security Groups. 

Anyone who has used MIM Portal extensively knows that when you add an unmanaged object to a managed object, MIM will strip out that unmanaged object when a sync happens. For example, in Active Directory, adding a gMSA to a MIM-managed Security group.  The quick answer to this problem is to start managing the gMSA(s).  Unfortunately, this is not a quick process to start managing the gMSA.  There are a number of steps to complete this process.  The tasks outlined below will walk you through how to manage gMSA’s in your MIM environment.

NOTE: Apologies in Task 4 and 5 concerning the images. I encountered some problems placing the images where I wanted to so I put them at the top of the section to not interfere with the ordered lists.

Task 1: Add msDS-GroupManagedServiceAccount to the MIM Portal Schema

  1. Launch the MIM Portal as a MIM Administrator.
  2. Click Administration from the Navigation pane.
  3. Click Schema Management.
  4. Stay on All Resources
  5. Click NewA screenshot of a social media post Description automatically generated
  6. In the System name field type msDS-GroupManagedServiceAccount
  7. In the Display name field type msDS-GroupManagedServiceAccountA screenshot of a social media post Description automatically generated
  8. Click Finish
  9. Click Submit
  10. (Optional) Repeat Steps 5-9 for msDS-ManagedServiceAccount
  11. Click button for Bindings.
    1. Click New.
    2. Type msDS-GroupManagedServiceAccount in the Resource Type field.
    3. Click the Validate and Resolve button.
    4. Type AccountName in the Attribute Type field.
    5. Click the Validate and Resolve button.
    6. Click Finish and then Submit.
  12. Repeat Bindings steps for ObjectSid (attribute will resolve to Resource SID).

Task 2: Add msDS-GroupManagedServiceAccount as an object type to the FIM Management Agent

  1. Click Administration from the Navigation pane
  2. Click All Resources
  3. Click Next arrow (or type 2) in the lower right-hand corner
  4. Click Synchronization FilterA screenshot of a social media post Description automatically generated
  5. Click Synchronization Filter
  6. Select the Extended Attributes tab.A screenshot of a social media post Description automatically generated
  7. Add msDS-GroupManagedServiceAccount to the end of the list.
  8. (Optional) Add msDS-ManagedServiceAccount if needed.
  9. Click the Check button to validate and resolve.
  10. Click OK.
  11. If prompted, click Submit to confirm the changes being made.

Task 3: Add msDS-GroupManagedServiceAccount as an object type on the MIM Sync Server

  1. Open the Synchronization Service
  2. Select MetaVerse Designer from the ribbon menu
    1. From the Actions menu, click Create Object Type.
    1. In the Object type name field, type msDS-GroupManagedServiceAccount.
    1. Select the following attributes:  accountname, cn, csObjectID, description, displayname, domain, objectSid.
    1. NOTE: If anyone of the attributes does not already exist, click the New attribute… button to create them. 
      1. Type the name of the attribute
      1. Select the attribute type, String (indexable)
      1. Click OK.
  3. Click OK.

Task 4: Update the FIM Management Agent schema on the MIM Sync Server

  1. Open the Synchronization Service.
  2. Select the FIM Service Management Agent.
    1. From the Actions menu, click Refresh
    2. A screenshot of a social media post Description automatically generated
    3. Click OK, to proceed with the refresh.
    4. Input the management agent service account password. Click OK.
    5. Once the schema has been updated, click Close.
    6. Run a Delta Import (if prompted to run a Full do so) followed by a Full Sync.
    7. Right-click the FIM Service Management Agent and select Properties.
    8. In the Management Agent Designer pane, click Select Object Types.A screenshot of a cell phone Description automatically generated
    9. In the Select Object Types pane, click Show All and select: msDS-GroupManagedServiceAccounts
    10. In the Management Agent Designer pane, click Select Object Type MappingsA screenshot of a social media post Description automatically generated
      1. Select msDS-GroupManagedServiceAccounts
      2. Click Add Mapping and select msDS-GroupManagedServiceAccounts
      3. Click OK.
    11. In the Management Agent Designer pane, click Select Attribute Flow.A screenshot of a cell phone Description automatically generated
      1. In the Configure Attribute Flow pane, expand Object Type: msDS-GroupManagedServiceAccounts
      2. Make sure that AccountName to AccountName is setup as an Import and Export flow.
    12. Click OK at the bottom.
    13. (Optional) Repeat all necessary steps above in this task for msDS-ManagedServiceAccount

Task 5: Update the Active Directory Management Agent on the MIM Sync server

  1. Open the MIM Synchronization Service
  2. Select the Active Directory Management Agent, click Properties
  3. In the Management Agent Designer pane, click Select Object Types
  4. In the Select Object Types pane, click Show All and select:
    1. msDS-GroupManagedServiceAccount
    2. (Optional) msDS-ManagedServiceAccount
  5. In the Management Agent Designer pane, click Select Attributes
  6. In the Select Attributes pane, select (or Verify)
    1. CN
    2. Description
    3. Name
    4. sAMAccountName
  7. Click OK.

Task 6: In the MIM Portal, create an Inbound Sync Rule for the gMSA’s.

Image 1
Image 2
Image 3
  1. Navigate to Adminsitration | Synchronization Rules
  2. Click New (See Image 1)
  3. Perform the following steps
    1. Type out a Display Name and Desscription
    2. Select Inbound
    3. Click Next.
  4. On the Scope tab do the following
    1. (See Image 2) Select msDS-GroupManagedServiceAccount for MetaVerse Resource Type
    2. Select “Active Directory Management Agent” for External System
    3. Select msDS-GroupManagedServiceAccount for External System Resource Type
    4. Click Next
  5. On the Relationship tab:
    1. Click Add Condition
    2. Select objectSID for the first and second drop-downs
    3. Click Next
  6. On the Inbound Attribute Flow tab:
    1. Click New Attribute Flow
    2. Add Description for the Source and Description for the Destination
    3. Click OK.
    4. Repeat for objectSID, sAMAccountName, cn, and name
    5. For name choose displayName as the Destination
    6. Lastly, for the domain, do the following:
    7. Select String for the Source and type the name of your domain in the blank field (e.g. Contoso). Select domain for the Destination.
    8. Click OK.
  7. Click Submit.

Task 7: In the MIM Portal, create a Set and MPR to give permission for the gMSA’s to be added to the MIM Portal when synchronizing

  1. Open the MIM Portal.
  2. Navigate to Sets
    1. Click New.
    2. Type in a Display Name, click Next.
    3. Where it reads “all resources”, change it to msDS-GroupManagedServiceAccount.  Make no other modifications.
    4. Click Finish. Click Submit.
  3. Navigate to Management Policy Rules.
    1. Click New.
    2. Type in a Display Name, click Next.
    3. In the Specific Set of Requestors box, type Synchronization Engine.  Click the Validate and Resolve button.
    4. In the Operation section, check the following box: Create resource.
    5. In the Permissions section, check the following box: Grants permission.
    6. Click Next.
    7. In the Target Resource Definition After Request field, type the Display Name of the Set that was created in Step 2. Click the Validate and Resolve button.
  4. Click Finish.
  5. Click Submit.

Perform all necessary Run Profiles (e.g. Delta Sync, Delta Import, Full Sync, Full Import, Export) to complete the process of bringing in the gMSA objects from AD into your Metaverse.

Author

Published